We take a critical look at security models that
are often used to give "provable security"
guarantees. We pay particular attention to
digital signatures, symmetric-key encryption, and
leakage resilience. We find that there has been
a surprising amount of uncertainty about what
the "right" definitions might be. Even
when definitions have an appealing
logical elegance and nicely reflect certain
notions of security, they fail to take into
account many types of attacks and do not provide a comprehensive
model of adversarial behavior.
